• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
Restore Privacy

Restore Privacy

Resources to stay safe and secure online

  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact
  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact

Malvertizing Network with 12 Billion Daily Bid Requests Taken Down

January 19, 2023 By Heinrich Long — 8 Comments
Malvertising

HUMAN’s Satori threat intelligence team has mapped and taken down a massive malvertizing operation they named ‘VASTFLUX.’

The operation injected malicious JavaScript code into digital banner ads within applications, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views that generated revenue.

At its peak, VASTFLUX generated 12 billion bid requests, and over the course of its operation, it spoofed over 1,700 applications and 120 publishers, and ran inside 11 million compromised devices.

While fraudulent ads might not directly threaten the privacy and security of mobile users, they still degrade their experience, cause significant stretch on their battery consumption, and incur unnecessary data charges.

Keeping the Scheme Invisible

The goal of the VASTFLUX scheme was to inject scripts into banner ads within applications that decrypted ad configurations and contacted a command and control (C2) server to acquire further instructions like what ad to display on the hijacked banner.

Sample of decrypted configuration sent by the C2 server, defining the banner size and position
HUMAN

HUMAN’s post explains that VASTFLUX evaded detection for an extensive period of time by deploying code that prevented the discovery of the scheme, and by not using ad verification tags, indicating that the fraudsters behind this operation possess an in-depth understanding of the digital advertising ecosystem.

Multiple ads rendering in invisible windows
HUMAN

Ad verification tags are small code snippets embedded in digital ads to allow marketers to measure performance. Third-party verification companies also use them to generate metrics like viewability, click-through rates, etc.

By not using ad verification tags, VASTFLUX remained essentially invisible despite its massive size.

Moreover, the C2 sent instructions to the injected scripts on how to spoof the publisher and app ID, which helped minimize the chances of being detected.

Spoofing ID instructions sent by the C2
HUMAN

Taking Down VASTFLUX

The Satori team discovered VASTFLUX almost by mistake while investigating a different malvertizing fraud scheme when they noticed that an app under examination in their lab generated multiple bid requests using different app IDs.

They reverse-engineered the attack and uncovered obfuscated JavaScript, eventually leading to the ad servers (C2) that sent instructions to the injected scripts.

Next, they collaborated with the HUMAN community to get additional insight into the scheme, appreciate its size, map it, identify all traffic sources, etc.

“From late June into July, HUMAN carried out three distinct mitigation responses to fight VASTFLUX. The first cut VASTFLUX traffic dramatically, but resulted in the bad actors adapting. The second, only a few days after the first, reduced VASTFLUX traffic to fewer than a billion requests a day: a 92% reduction from the operation’s peak. The third, about two weeks after the first response, further impaired VASTFLUX activity.”

HUMAN
Gradual take-down of VASTFLUX by the Satori team
HUMAN

After that, Satori informed the abused organizations to orchestrate a broader and more coordinated action against the fraud scheme. VASTFLUX responded by taking down the C2 servers, likely fearing identification and prosecution.

Signs of Adware

From the user’s perspective, in-app ads are part of the ordinary and expected experience, and malicious hijacks that generate revenue for malvertizing campaign operators aren’t easily discernible.

However, if you notice unusually high battery consumption by certain apps, inexplicable performance slow-downs, random device screen light-ups, and increased data usage, it might indicate that adware is running on your device.

About Heinrich Long

Heinrich is an associate editor for RestorePrivacy and veteran expert in the digital privacy field. He was born in a small town in the Midwest (USA) before setting sail for offshore destinations. Although he long chafed at the global loss of online privacy, after Edward Snowden’s revelations in 2013, Heinrich realized it was time to join the good fight for digital privacy rights. Heinrich enjoys traveling the world, while also keeping his location and digital tracks covered.

Reader Interactions

Comments

  1. Virtues are independent cosmic consciousness

    January 23, 2023

    Hi Sven Sir,
    Please cover this. Google advertisements are spreading malware. Even technically proficient people are getting infected and incurring heavy losses and damages by being hacked by hackers and malware writers.

    Google Search Ads Are Spreading Dangerous Viruses
    https://youtu.be/apji28Zrbis

    Malware in Google Ads: Fake OBS, VLC, Notepad++
    https://youtu.be/e6o2afben0s

    Reply
    • BoBeX

      January 23, 2023

      Hi @Virtues are independent cosmic consciousness,
      If you are interested in a deep dive into MalAdvertising this link may interest you:
      https://darknetdiaries.com/episode/44/
      RP ad-blocking solutions are discussed here:
      https://restoreprivacy.com/best-ad-blocker/
      GL,

      P.S. There are a lot of personal security / privacy guides on the RP homepage.

      Reply
  2. Detective Sven

    January 20, 2023

    Sven Sir please add a prominent donate button on restore privacy and expand restore privacy to become the privacy hub of internet and the torch bearer of human civilization and may be the entire cosmos for freedom and justice.

    Reply
  3. Happy Sven 😊

    January 20, 2023

    Sven Sir there has been a databreach at paypal. Please write an article about it.

    PayPal confirms data breach, sends warning emails to users
    https://www.techradar.com/news/paypal-confirms-data-breach-sends-warning-emails-to-users

    Reply
    • Bronco

      January 20, 2023

      T-Mobile, too.

      https://www.techradar.com/news/millions-of-t-mobile-customers-have-data-stolen-in-breach

      Reply
  4. Mute Mutt

    January 20, 2023

    I use Adguard Adblocker and it helps protect from all kinds of advertising. It is noteworthy that there are advertisements on private search engines too like Startpage and Duckduckgo. Probably without these advertisements these search engines won’t exist. Same for browsers like firefox and brave. But in case of Firefox and Brave they show first party advertisements which is a great way to support the developer as such advertisements load faster and are not abusive and invasive. But this isn’t the case with advertisements on privacy friendly search engines like Startpage and Duckduckgo. While these search engines themselves don’t collect and store user data like search queries, user agent and ip address. I fear when a person click on advertisements which are displayed first on these privacy friendly search engines the ip address some other information is sent to them. This is what is said by Alok, the privacy enthusiast and founder of Epic Browser. Epic developers also says that for this reason they haven’t incorporated these search engines in Epic Browser. They say they mailed these private search a lot to ask about what data they share with 3rd party and how they operate these advertisements but they didn’t disclose the information. Though Duckduckgo says these advertisements are based on user query and aren’t targeted. Duckduckgo also faced the heat from users and privacy community for not initially blocking Microsoft trackers on its privacy browsers. The truth is making a search engine requires a huge budget amounting to billions of dollars and Duckduckgo relies on Microsoft Bing for search results and is more of a meta search engine, just like Startpage is a proxy to Google search. The other option is to pay for search engine like Neeva and paid tier of Swisscow search engine. But since it is easy to block search engine advertisements on Duckduckgo and startpage and Duckduckgo also has a dedicated option in setting to disable advertisements, personally I won’t pay for a search engine, as I am already paying for a lot of privacy services and softwares. Also search engines are becoming less and less relevant each day with the rise of AI bots and internet is also getting dispersed into walled communities and services as now websites are demanding subscription and Facebook, Tik Tok, Reddit, Quora nag to create account or download app to use their service or pay for paid tier to access full content.
    Currently I rely on Startpage as my main search engine and Duckduckgo too as side search engine. Startpage doesn’t like vpns but I don’t face any issues with Nord, Surf shark and Atlas VPN, because they are great overcoming ip bans due to their high quality of service. I also use Google like a privacy friendly search engine using hermit sandbox enabled browser on Android with a vpn and on firefox on windows using container and again a VPN. Incognito mode and deleting cookies, with VPN and Adblocker is a great friend of online privacy. But both browser and BPN themselves should not be tracking users.

    Reply
  5. Police Sven 🚨

    January 20, 2023

    Thank you for the information. Does using Adblocker protects from this kind of threat?

    Reply
    • BoBeX

      January 20, 2023

      Hi @PoliceSven, The short answer is that it depends on what type of adblocking service you use and on the quality of the service you use. Sven explains it all here: https://restoreprivacy.com/best-ad-blocker/
      But in short something like Ublock Origin (which is fantastic) wouldn’t help because it only blocks ads in the browser and the problem discussed in this article is about in app ads. My preference for this problem is ad blocking by my vpn (Nord) but there other options discussed in the link
      GL,

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

Digital Privacy Essentials:
Secure Browsers
Private Search Engines
Secure Email
Best Password Managers
Secure Messaging Services
Best Ad Blockers
Best VPN Services
Secure Cloud Storage

Privacy & Security Guides:
Privacy Tools
Alternatives to Google Products
Firefox Privacy Modifications
Five Eyes, 9 Eyes, 14 Eyes Spying
Browser Fingerprinting
Is Tor Safe?
Alternatives to Gmail
VPN vs Tor
Alternatives to WhatsApp
Is Your Antivirus Spying on You?
Controlling Communication Channels is Crucial for Privacy
Anonymity Networks: VPNs, Tor, and I2P
How to Really Be Anonymous Online
Private and Anonymous Payments

Secure Email Reviews:
ProtonMail Review
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Temporary Email Services
Encrypted Email

Password Manager Reviews:
Bitwarden Review
LastPass Review
KeePass Review
NordPass Review
Dashlane Review
1Password Review
Best Password Managers

Secure Messaging App Reviews:
Wire Review
Signal Review
Threema Review
Telegram Review
Session Review
Wickr Review

Secure Cloud Storage Reviews
Tresorit Review
MEGA Cloud Review
Sync.com Review
Nextcloud Review
IDrive Review
pCloud Review
SpiderOak Review
NordLocker Review

How To Guides
How to Encrypt Files on Windows
How to Encrypt Email
How to Configure Windows 10 for Privacy
How to use Two-Factor Authentication (2FA)
How to Secure Your Android Device for Privacy
How to Secure Your Home Network
How to Protect Yourself Against Identity Theft
How to Unblock Websites
How to Fix WebRTC Leaks
How to Test Your VPN
How to Hide Your IP Address
How to Create Strong Passwords
How to Really Be Anonymous Online

About RestorePrivacy

Contact

Restore Privacy Checklist

  1. Secure browser: Modified Firefox or Brave
  2. VPN: NordVPN (68% Off Coupon) or Surfshark
  3. Ad blocker: uBlock Origin or AdGuard
  4. Secure email: Mailfence or Tutanota
  5. Secure Messenger: Signal or Threema
  6. Private search engine: MetaGer or Brave
  7. Password manager: NordPass or Bitwarden

About

Restore Privacy is a digital privacy advocacy group committed to helping people stay safe and secure online. You can support this project through donations, purchasing items through our links (we may earn a commission at no extra cost to you), and sharing this information with others. See our mission here.

We’re available for Press and media inquiries here.

Restore Privacy is also on Twitter

COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP